MediumCISA KEVExploited in the wildPublic exploit

Microsoft SharePoint Server Spoofing Vulnerability

IdentifiersCVE-2026-32201CWE-20· Improper Input Validation

CVE-2026-32201 is an actively exploited spoofing vulnerability in Microsoft Office SharePoint / Microsoft SharePoint Server caused by improper input validation. Microsoft states that the flaw allows an unauthorized attacker to perform spoofing over a network. Reporting in the provided content indicates the issue affects on-premises SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, and is associated with SharePoint request processing. Multiple sources in the content characterize exploitation as pre-authentication, low complexity, and requiring no user interaction. Some reporting further suggests the bug may manifest similarly to cross-site scripting-style spoofing of trusted SharePoint content or interfaces, but Microsoft does not publicly specify the exact exploitation method in the provided material.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to spoof trusted SharePoint resources or user context over the network. According to Microsoft and the supporting reporting, this can enable viewing of some sensitive information and making limited changes to disclosed information, affecting confidentiality and integrity but not availability. The provided content also notes practical downstream risk including impersonation of legitimate users, unauthorized document access, falsified content presentation, phishing or social-engineering enablement inside trusted SharePoint environments, and potential follow-on activity such as credential theft, data exfiltration, or lateral movement depending on the environment.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce or eliminate internet exposure of SharePoint servers, place them behind VPNs, reverse proxies, or IP allowlists, and restrict access to trusted networks. Increase monitoring for anomalous authentication activity, unusual access or modification patterns, and signs of spoofed or tampered SharePoint content. Enable detailed SharePoint logging and forward logs to a SIEM. Review permissions for least privilege, rotate relevant credentials where compromise is suspected, inspect sensitive content for unauthorized changes, and apply defense-in-depth controls such as network segmentation, hardened SharePoint configuration, and WAF protections where feasible. These measures are compensating controls only and do not replace vendor patching.

Remediation

Patch, then assume compromise.

Apply Microsoft's April 14, 2026 security updates for all affected SharePoint deployments. The provided content identifies fixes for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, including KB5002853 for Subscription Edition, KB5002854 for SharePoint Server 2019, and KB5002861 for SharePoint Enterprise Server 2016. Ensure prerequisite guidance is followed where applicable, including Workflow Manager-related requirements noted for SharePoint Server 2019 environments. Because exploitation in the wild was confirmed prior to patch availability and CISA added the issue to KEV, patching should be treated as urgent/emergency remediation.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app

CVE-2026-32201-exploitMaturityPoCVerified exploit

Repository contains a single Python proof-of-concept exploit script and a README. The main file, CVE-2026-32201-exploit.py, is a standalone CLI tool using requests, argparse, sys, and urllib.parse.urljoin. Its workflow is simple: first fingerprint the target by issuing a GET request to /_layouts/15/start.aspx and checking for a 200 response containing the string 'SharePoint'; if detected, it sends a crafted POST request to a configurable endpoint, defaulting to /_layouts/15/notify.aspx. The POST body includes recipient, subject, message, and sender_override, where sender_override is treated as the allegedly vulnerable parameter enabling spoofed sender identity. The script prints status code, response length, a response snippet, and basic success indicators such as 'success' or 'sent' in the response body. The exploit is network/web-based, unauthenticated in design, and intended to spoof SharePoint notifications rather than achieve code execution. The README expands on intended use, affected SharePoint versions, and possible operator customization, including arbitrary message content and endpoint fuzzing. Overall, this is a small operational PoC for testing a claimed SharePoint spoofing/input-validation issue, not a framework module and not merely a detector.

B1tBitDisclosed Apr 22, 2026pythonmarkdownnetworkweb

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationSharepoint Serverapplication

Microsoft CorporationSharepoint Server 2016application

Microsoft CorporationSharepoint Server 2019application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

108 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

108 SOURCESView more in app

security affairsNews

May 27, 2026

SharePoint Has a New RCE Flaw. If You Haven't Patched Yet, Go Do That.

A Microsoft SharePoint Server vulnerability referenced as having been added by CISA to the Known Exploited Vulnerabilities catalog, indicating in-the-wild exploitation.

May 13, 2026

Disgruntled researcher releases two more Microsoft zero-days

A Microsoft vulnerability identified as CVE-2026-32201 that was disclosed by the researcher and later patched by Microsoft in April.

techrepublic com securityNews

Apr 22, 2026

Microsoft Patch Still Leaves 1,300 SharePoint Servers Exposed

A Microsoft SharePoint spoofing vulnerability caused by improper input validation that allows an unauthorized attacker to perform spoofing over a network.

cyber security newsNews

Apr 22, 2026

1,370+ Microsoft SharePoint Servers Vulnerable to Spoofing Attacks Exposed Online - Cyber Security News

A spoofing vulnerability in Microsoft SharePoint Server caused by improper input validation in request processing that allows an unauthenticated remote attacker to bypass authentication checks and impersonate legitimate users to access or manipulate sensitive data.

+19 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures3

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity81

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-32201

NVD

nvd.nist.gov/vuln/detail/CVE-2026-32201

MITRE CWE · CWE-20

Improper Input Validation

Vendor Advisory

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201

Third Party Advisory

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-32201